I want to do some rule profiling work with the Suricata engine. I found that basically I would need to do what this describes: compile Suricata with enable-profiling and also enable it in the config yaml file. I've done both of them. Right now I tested with some pcap files but could not get the rule_profile log from there. However, I could see the packet_profile file got generated. So I would like to get some help.
I have 2 guesses.
- Whether running in IDS mode is a problem for getting that
- Does it need some real traffic instead of pcap files to get that profiling result?
I am assuming AF_packet and NF_queue mode should have no impact on this functionality.
Pasting my suricata.yaml below in case it is helpful.

  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  sample-rate: 1

  # rule profiling
  rules:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule.log

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    #sort: avgticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    limit: 10

  # per keyword profiling
  keywords:
    enabled: no
    filename: keyword_perf.log
    append: yes

  prefilter:
    enabled: no
    filename: prefilter_perf.log
    append: yes

  # per rulegroup profiling
  rulegroups:
    enabled: no
    filename: rule_group_perf.log
    append: yes

  # packet profiling
  packets:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: packet_stats.log
    append: yes
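As an added example (not part of this post or of Suricata itself), here is a small Python script that reads the plain-text table the rule profiler writes to its filename at exit and flags rules that consume a large share of ticks while rarely matching. The column order (Num, Rule, Gid, Rev, Ticks, %, Checks, Matches, Max Ticks, Avg Ticks, Avg Match, Avg No Match) and the sample log are my assumptions; check them against the output of your own build.

```python
from dataclasses import dataclass

# Constructed sample in the layout assumed above; not real profiler output.
SAMPLE_RULE_PERF_LOG = """\
  --------------------------------------------------------------------------
  Date: 1/1/2024 -- 00:00:00. Sorted by: ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        2010937      1        2        2214372      60.00  26       0        72800       85168.15    0.00        85168.15
  2        2100498      1        7        1107186      30.00  400      12       9000        2767.97     3100.50     2757.73
  3        2001219      1        20       369062       10.00  5000     4800     300         73.81       74.00       69.25
"""

@dataclass
class RuleStat:
    sid: int; gid: int; rev: int; ticks: int; checks: int; matches: int
    max_ticks: int; avg_ticks: float; avg_match: float; avg_no_match: float

def parse_rule_perf(text: str) -> list[RuleStat]:
    """Parse the rule profiling table; skips date, header and separator lines."""
    stats, in_table = [], False
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "Num":          # header row marks the start of the table
            in_table = True
            continue
        if not in_table or not cols[0].isdigit():
            continue                   # separator or banner lines
        if len(cols) != 12:
            raise ValueError(f"unexpected column count in line: {line!r}")
        stats.append(RuleStat(int(cols[1]), int(cols[2]), int(cols[3]), int(cols[4]),
                              int(cols[6]), int(cols[7]), int(cols[8]),
                              float(cols[9]), float(cols[10]), float(cols[11])))
    return stats

def costly_rules(stats, min_ticks_share=0.2, max_match_rate=0.05):
    """Return (sid, ticks share, match rate) for expensive rules that seldom match."""
    total = sum(s.ticks for s in stats) or 1
    found = []
    for s in stats:
        share = s.ticks / total
        match_rate = s.matches / s.checks if s.checks else 0.0
        if share >= min_ticks_share and match_rate <= max_match_rate:
            found.append((s.sid, round(share, 3), round(match_rate, 4)))
    return sorted(found, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for sid, share, rate in costly_rules(parse_rule_perf(SAMPLE_RULE_PERF_LOG)):
        print(f"sid {sid}: {share:.1%} of ticks, match rate {rate:.2%}")
```

Point it at the rules filename from the profiling section once Suricata has exited, since the table is only written at shutdown per the config comment.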